Openssl aes-*-cbc is broken


#1

成瀬です。

openssl モジュールの AES (CBC mode) が使えないようです。

# Reproduction from the report: the key and IV are installed with
# pkcs5_keyivgen *before* encrypt/decrypt selects the direction.
# According to the report, c2.final then raises
# "OpenSSL::CipherError: bad decrypt" instead of the script printing true.
require’openssl’
# NOTE(review): in current Ruby, OpenSSL::Cipher::Cipher is a deprecated
# alias of OpenSSL::Cipher.
c1 = OpenSSL::Cipher::Cipher.new(“AES-256-CBC”)
c2 = OpenSSL::Cipher::Cipher.new(“AES-256-CBC”)
pass = “open sesame!”
data = “Hello world!”
# NOTE(review): pkcs5_keyivgen is called with the password only (no salt),
# so the same password always yields the same key/IV; it is a legacy
# password-based derivation. New code should derive the key with
# OpenSSL::PKCS5.pbkdf2_hmac and a random salt, and set key/iv explicitly.
c1.pkcs5_keyivgen(pass)
s1 = c1.encrypt.update(data) + c1.final
c2.pkcs5_keyivgen(pass)
s2 = c2.decrypt.update(s1) + c2.final
p(data == s2) #=> true (expected output; the report says c2.final raises instead)

を実行しようとすると、c2.final で以下のエラーが発生します。
OpenSSL::CipherError: bad decrypt
from (irb):359:in `OpenSSL::Cipher::Cipher#final'
from (irb):359:in `Kernel#binding'
from :0

aes-128-cfb aes-128-ecb aes-128-ofb といった
CBC 以外のモードでは動作しますし、
AES以外の方式の CBC は動作します。
また、openssl コマンドからだと動作するので、
Ruby/OpenSSL
の問題だと思うのですが、それ以上は調べ切れませんでした。

ところで、OpenSSL::Cipher::AESですが、
openssl では -aes が無いため、
OpenSSL::Cipher::AES.new(256, 'cbc')
などとしないと初期化できません。

OpenSSL::Cipher::AES128, OpenSSL::Cipher::AES192,
OpenSSL::Cipher::AES256 ならば、
それぞれ -aes128, -aes192, -aes256 と対応するため、
引数なしでインスタンスを作れるのでいいと思うのですが。


#2

In message removed_email_address@domain.invalid,
`“NARUSE, Yui” removed_email_address@domain.invalid’ wrote:

openssl モジュールの AES (CBC mode) が使えないようです。

試してみるとECBも同様でした。

aes-128-cfb aes-128-ecb aes-128-ofb といった
CBC 以外のモードでは動作しますし、
AES以外の方式の CBC は動作します。
また、openssl コマンドからだと動作するので、
Ruby/OpenSSL の問題だと思うのですが、それ以上は調べ切れませんでした。

なんでそうなるかはちゃんと調べてないのですが、鍵とIVをセット
する前にencryptを呼ぶと動くようです。

% ruby -e ’
require “openssl”
pass = “open sesame!”
data = “Hello world!”

# Working variant from the follow-up: the direction (encrypt / decrypt) is
# selected *before* pkcs5_keyivgen installs the key and IV, and the
# round trip then prints true.
c1 = OpenSSL::Cipher::Cipher.new(“AES-256-CBC”)
c1.encrypt
# NOTE(review): password-only derivation with no salt — the same password
# always produces the same key/IV. Legacy API; prefer
# OpenSSL::PKCS5.pbkdf2_hmac with a random salt and explicit key=/iv= for
# new code.
c1.pkcs5_keyivgen(pass)
s1 = c1.update(data) + c1.final

c2 = OpenSSL::Cipher::Cipher.new(“AES-256-CBC”)
c2.decrypt
c2.pkcs5_keyivgen(pass) # same password, hence the same key/IV as c1
# NOTE(review): CBC gives confidentiality only; the "bad decrypt" that
# final raises is a padding check, not an authenticity check. Ciphertext
# from an untrusted source should carry a MAC or use an AEAD mode instead.
s2 = c2.update(s1) + c2.final
p(data == s2) #=> true

OpenSSL::Cipher::AES128, OpenSSL::Cipher::AES192,
OpenSSL::Cipher::AES256 ならば、
それぞれ -aes128, -aes192, -aes256 と対応するため、
引数なしでインスタンスを作れるのでいいと思うのですが。

そうですね。この機会に追加しようと思います。